Svchost.exe/Windows Update/Web Redirection


  • This topic is locked
3 replies to this topic

#1 mpizzo10

Posted 23 November 2010 - 10:37 PM

Been having a lot of trouble with a PC. Almost a month ago, this PC was severely infected with a virus that called itself Antivirus8. I thought I had gotten rid of all the infections. There were times when I couldn't go to the Windows Update website, as the infection seemed to block me from getting there. I had that problem fixed, and now I am back to being unable to access the Windows Update website.

I am wondering if it is related to another issue I have with the PC. I have seen the following error several times: "generic host process for win32 services has encountered a problem and needs to close". Also, svchost.exe will take up nearly 100% of the CPU for long periods of time.



I received an error report (details shown in photo attached). I googled svchost.exe and the other file mentioned in the error report (ntdll.dll) in the same search. I found a bunch of forums/sites with others' troubles and solutions with the same problem I am having. Apparently, Windows addressed this in one of their updates. Also, many state that the issue is related to svchost.exe trying to access updates and it is unable to. There are several suggestions by people, and I am hesitant to choose which to do, especially since most are around 3 years old. One solution suggests running ComboFix. I wanted to run it, but ComboFix indicates that AntiVir, AOL Antivirus, and AVG need to be disabled. AntiVir and AVG have been uninstalled, and I have no idea where AOL Antivirus is. I don't understand why ComboFix sees them as running processes. (After reading the guidelines, I know not to use ComboFix without being told to do so.)

One final thing: while surfing the web, there are times when I will be redirected against my will. Also, very recently, my IE homepage was changed to msn.com (not by choice).

If possible, I could really use some help with this.

Please note: I am having trouble posting this on the infected PC (using IE and Firefox). It says IE cannot display the webpage. This, somehow, is affecting my upload quota. After a few attempts, I can now only attach the Attach.txt file. Ark.txt and the photo of the error report are too big. As a result, I copied/pasted the Ark.txt file after the DDS log in the post.


DDS (Ver_10-11-10.01) - NTFSx86
Run by John at 21:08:39.62 on Tue 11/23/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.82 [GMT -5:00]

AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {804E5358-FFA4-014B-0D24-347CA8A3377C}
AV: AVG Anti-Virus Free Edition 2011 *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {00000000-0000-0000-0000-000000000000}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {804E5358-FFA4-00DB-0D24-347CA8A3377C}
AV: AOL Antivirus *On-access scanning enabled* (Updated) {164FF91F-F5BD-4B74-A9DC-932CECB1603B}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning disabled* (Updated) {804E5358-FFA4-00EC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {804E5358-FFA4-00DA-0D24-347CA8A3377C}
AV: Microsoft Security Essentials *On-access scanning enabled* (Outdated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {804E5358-FFA4-00EB-0D24-347CA8A3377C}
FW: AOL Firewall *enabled* {6515F560-BD88-41EB-AD77-F1F3F6F80BEA}
FW: Online Armor Firewall *enabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Emsisoft\Online Armor\OAcat.exe
C:\Program Files\Emsisoft\Online Armor\oasrv.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\AOL\1125946752\ee\AOLSoftware.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Emsisoft\Online Armor\oaui.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Emsisoft\Online Armor\OAhlp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\John\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = iexplore
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Aim6]
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [HostManager] c:\program files\common files\aol\1125946752\ee\AOLSoftware.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [@OnlineArmor GUI] "c:\program files\emsisoft\online armor\oaui.exe"
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
dRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRunOnce: [SWHelper] "c:\windows\system32\macromed\shockwave 10\PostUpdate.exe" 1014020
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab
DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} - hxxp://picasaweb.google.com/s/v/56.20/uploader2.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www.snapfish.com/SnapfishActivia.cab
DPF: {474F00F5-3853-492C-AC3A-476512BBC336} - hxxp://picasaweb.google.com/s/v/43.10/uploader2.cab
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1288724950125
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1154980515546
DPF: {6EC00533-A02A-4C97-A93C-66BDB184EBD7} - hxxp://nwmiddle.udayton.edu/nls/English/ZfdInstallMgr.cab
DPF: {6F750200-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
DPF: {6F750202-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} - hxxp://cvs.pnimedia.com/upload/activex/v2_0_0_9/PCAXSetupv2.0.0.9.cab?
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
STS: {B1BA20C1-A503-59BD-F412-03B53A2C8951} - No File
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SEH: OA Shell Helper: {4f07da45-8170-4859-9b5f-037ef2970034} - c:\progra~1\emsisoft\online~1\oaevent.dll
LSA: Notification Packages = scecli

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\john\applic~1\mozilla\firefox\profiles\rrquueyz.default\
FF - prefs.js: browser.search.selectedEngine - Search
FF - prefs.js: keyword.URL - hxxp://search.fresh-search.net/?sid=10101069100&s=
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {47F579EB-CAAC-486B-9D93-C24124D8D725} - c:\documents and settings\john\local settings\application data\{47f579eb-caac-486b-9d93-c24124d8d725}\
FF - HiddenExtension: XULRunner: {8624C5D8-18B9-4F97-B3CE-68BF1D4DA700} - c:\documents and settings\mario graziano\local settings\application data\{8624C5D8-18B9-4F97-B3CE-68BF1D4DA700}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Search
FF - user.js: browser.search.order.1 - Search
FF - user.js: keyword.URL - hxxp://search.fresh-search.net/?sid=10101069100&s=
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.search-clsid", "{533E0C23-ACE9-42B4-9D8B-E670989AF702}");

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 151216]
R1 OADevice;OADriver;c:\windows\system32\drivers\oadriver.sys [2010-11-1 236104]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2010-11-1 22600]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2010-11-1 28232]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R2 OAcat;Online Armor Helper Service;c:\program files\emsisoft\online armor\oacat.exe [2010-11-1 1283400]
R2 SvcOnlineArmor;Online Armor;c:\program files\emsisoft\online armor\oasrv.exe [2010-11-1 3364680]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\john\locals~1\temp\sas_selfextract\saskutil.sys --> c:\docume~1\john\locals~1\temp\sas_selfextract\SASKUTIL.SYS [?]
S2 Iprip;Network Security;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\lavasoft\ad-aware\kernexplorer.sys --> c:\program files\lavasoft\ad-aware\KernExplorer.sys [?]
S3 NPF;Netgroup Packet Filter;c:\windows\system32\drivers\npf.sys [2004-12-10 30336]
S3 SysProtDrv.sys;SysProtDrv.sys;c:\documents and settings\mario graziano\desktop\sysprot\sysprot\sysprotdrv.sys [2010-11-7 44288]

=============== Created Last 30 ================

2010-11-23 22:09:14 2296 ----a-w- c:\windows\system32\tmp.reg
2010-11-18 04:12:27 -------- d-sh--w- c:\documents and settings\john\PrivacIE
2010-11-18 02:47:25 -------- d-sh--w- c:\documents and settings\john\IECompatCache
2010-11-17 01:57:46 6146896 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{4981f31b-54a7-4b54-81aa-3290c810f007}\mpengine.dll
2010-11-17 01:53:10 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-11-17 01:47:51 -------- d-----w- c:\docume~1\john\applic~1\OnlineArmor
2010-11-17 01:43:38 13063352 ----a-w- c:\program files\mssefullinstall-x86fre-en-us-xp.exe
2010-11-16 20:55:07 996864 ----a-w- c:\docume~1\john\locals~1\applic~1\364770072.exe
2010-11-16 20:54:14 189 ----a-w- c:\docume~1\john\applic~1\scgdfgasfbh.bat
2010-11-16 20:53:53 -------- d-----w- c:\docume~1\alluse~1\applic~1\WSTB
2010-11-16 20:43:43 -------- d-sh--w- c:\documents and settings\john\IETldCache
2010-11-16 01:20:07 1402880 ----a-w- c:\program files\HiJackThis.msi
2010-11-15 02:44:49 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files
2010-11-15 01:33:46 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10
2010-11-15 01:32:33 -------- d-----w- c:\program files\AVG
2010-11-15 01:21:52 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
2010-11-15 01:11:16 144271272 ----a-w- c:\program files\avg_free_x86_all_2011_1153a3218.exe
2010-11-11 00:50:16 89088 ----a-w- C:\mbr.exe
2010-11-10 00:04:50 328 ----a-w- C:\Start_.cmd
2010-11-10 00:04:50 -------- d-----w- C:\third
2010-11-09 06:35:43 6146896 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\windows defender\definition updates\{c060c08d-1820-4970-8527-9805f3782e6d}\mpengine.dll
2010-11-09 02:22:19 -------- d-----w- c:\program files\ESET
2010-11-07 01:24:16 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2010-11-07 01:24:11 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2010-11-07 01:24:10 18944 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll
2010-11-07 01:24:05 27648 -c--a-w- c:\windows\system32\dllcache\xrxftplt.exe
2010-11-07 01:24:00 4608 -c--a-w- c:\windows\system32\dllcache\xrxflnch.exe
2010-11-07 01:23:12 99865 -c--a-w- c:\windows\system32\dllcache\xlog.exe
2010-11-07 01:23:05 16970 -c--a-w- c:\windows\system32\dllcache\xem336n5.sys
2010-11-07 01:23:03 19455 -c--a-w- c:\windows\system32\dllcache\wvchntxx.sys
2010-11-07 01:22:59 19200 -c--a-w- c:\windows\system32\dllcache\wstcodec.sys
2010-11-07 01:22:58 12063 -c--a-w- c:\windows\system32\dllcache\wsiintxx.sys
2010-11-07 01:22:56 8192 -c--a-w- c:\windows\system32\dllcache\wshirda.dll
2010-11-07 01:22:39 8832 -c--a-w- c:\windows\system32\dllcache\wmiacpi.sys
2010-11-07 01:22:37 154624 -c--a-w- c:\windows\system32\dllcache\wlluc48.sys
2010-11-07 01:22:33 34890 -c--a-w- c:\windows\system32\dllcache\wlandrv2.sys
2010-11-07 01:22:21 771581 -c--a-w- c:\windows\system32\dllcache\winacisa.sys
2010-11-07 01:22:15 53760 -c--a-w- c:\windows\system32\dllcache\wiamsmud.dll
2010-11-07 01:22:04 701386 -c--a-w- c:\windows\system32\dllcache\wdhaalba.sys
2010-11-07 01:22:04 23615 -c--a-w- c:\windows\system32\dllcache\wch7xxnt.sys
2010-11-07 01:22:03 31744 -c--a-w- c:\windows\system32\dllcache\wceusbsh.sys
2010-11-07 01:22:00 35871 -c--a-w- c:\windows\system32\dllcache\wbfirdma.sys
2010-11-07 01:20:57 765884 -c--a-w- c:\windows\system32\dllcache\usrti.sys
2010-11-07 01:19:58 50176 -c--a-w- c:\windows\system32\dllcache\umaxp60.dll
2010-11-07 01:18:56 230912 -c--a-w- c:\windows\system32\dllcache\tosdvd03.sys
2010-11-07 01:18:53 241664 -c--a-w- c:\windows\system32\dllcache\tosdvd02.sys
2010-11-07 01:18:49 28232 -c--a-w- c:\windows\system32\dllcache\tos4mo.sys
2010-11-07 01:18:44 123995 -c--a-w- c:\windows\system32\dllcache\tjisdn.sys
2010-11-07 01:18:37 138528 -c--a-w- c:\windows\system32\dllcache\tgiulnt5.sys
2010-11-07 01:18:33 81408 -c--a-w- c:\windows\system32\dllcache\tgiul50.dll
2010-11-07 01:18:27 149376 -c--a-w- c:\windows\system32\dllcache\tffsport.sys
2010-11-07 01:18:20 17129 -c--a-w- c:\windows\system32\dllcache\tdkcd31.sys
2010-11-07 01:18:16 37961 -c--a-w- c:\windows\system32\dllcache\tdk100b.sys
2010-11-07 01:18:09 30464 -c--a-w- c:\windows\system32\dllcache\tbatm155.sys
2010-11-07 01:18:04 7040 -c--a-w- c:\windows\system32\dllcache\tandqic.sys
2010-11-07 01:18:00 36640 -c--a-w- c:\windows\system32\dllcache\t2r4mini.sys
2010-11-07 01:16:57 48736 -c--a-w- c:\windows\system32\dllcache\srwlnd5.sys
2010-11-07 01:15:59 25034 -c--a-w- c:\windows\system32\dllcache\smcpwr2n.sys
2010-11-07 01:14:58 104064 -c--a-w- c:\windows\system32\dllcache\sisgrp.sys
2010-11-07 01:13:52 17280 -c--a-w- c:\windows\system32\dllcache\scr111.sys
2010-11-07 01:12:59 65664 -c--a-w- c:\windows\system32\dllcache\s3legacy.sys
2010-11-07 01:12:55 82432 -c--a-w- c:\windows\system32\dllcache\rwia450.dll
2010-11-07 01:12:51 79872 -c--a-w- c:\windows\system32\dllcache\rwia430.dll
2010-11-07 01:12:48 29696 -c--a-w- c:\windows\system32\dllcache\rw450ext.dll
2010-11-07 01:12:43 27648 -c--a-w- c:\windows\system32\dllcache\rw430ext.dll
2010-11-07 01:12:39 20992 -c--a-w- c:\windows\system32\dllcache\rtl8139.sys
2010-11-07 01:12:36 19017 -c--a-w- c:\windows\system32\dllcache\rtl8029.sys
2010-11-07 01:12:32 30720 -c--a-w- c:\windows\system32\dllcache\rthwcls.sys
2010-11-07 01:12:27 9216 -c--a-w- c:\windows\system32\dllcache\rsmgrstr.dll
2010-11-07 01:12:23 3840 -c--a-w- c:\windows\system32\dllcache\rpfun.sys
2010-11-07 01:12:19 79104 -c--a-w- c:\windows\system32\dllcache\rocket.sys
2010-11-07 01:12:16 37563 -c--a-w- c:\windows\system32\dllcache\rlnet5.sys
2010-11-07 01:12:12 86097 -c--a-w- c:\windows\system32\dllcache\reslog32.dll
2010-11-07 01:10:58 17664 -c--a-w- c:\windows\system32\dllcache\ppa3.sys
2010-11-07 01:09:58 26153 -c--a-w- c:\windows\system32\dllcache\pcmlm56.sys
2010-11-07 01:08:58 54528 -c--a-w- c:\windows\system32\dllcache\opl3sax.sys
2010-11-07 01:08:54 61696 -c--a-w- c:\windows\system32\dllcache\ohci1394.sys
2010-11-07 01:08:46 198144 -c--a-w- c:\windows\system32\dllcache\nv3.sys
2010-11-07 01:08:43 123776 -c--a-w- c:\windows\system32\dllcache\nv3.dll
2010-11-07 01:08:35 51552 -c--a-w- c:\windows\system32\dllcache\ntgrip.sys
2010-11-07 01:08:27 9344 -c--a-w- c:\windows\system32\dllcache\ntapm.sys
2010-11-07 01:08:24 7552 -c--a-w- c:\windows\system32\dllcache\nsmmc.sys
2010-11-07 01:08:19 28672 -c--a-w- c:\windows\system32\dllcache\nscirda.sys
2010-11-07 01:08:14 87040 -c--a-w- c:\windows\system32\dllcache\nm6wdm.sys
2010-11-07 01:08:11 126080 -c--a-w- c:\windows\system32\dllcache\nm5a2wdm.sys
2010-11-07 01:06:57 75520 -c--a-w- c:\windows\system32\dllcache\mxport.sys
2010-11-07 01:06:54 7168 -c--a-w- c:\windows\system32\dllcache\mxport.dll
2010-11-07 01:06:51 19968 -c--a-w- c:\windows\system32\dllcache\mxnic.sys
2010-11-07 01:06:48 19968 -c--a-w- c:\windows\system32\dllcache\mxicfg.dll
2010-11-07 01:06:45 21888 -c--a-w- c:\windows\system32\dllcache\mxcard.sys
2010-11-07 01:06:39 103296 -c--a-w- c:\windows\system32\dllcache\mtxvideo.sys
2010-11-07 01:06:28 5504 -c--a-w- c:\windows\system32\dllcache\mstee.sys
2010-11-07 01:06:26 49024 -c--a-w- c:\windows\system32\dllcache\mstape.sys
2010-11-07 01:06:21 12416 -c--a-w- c:\windows\system32\dllcache\msriffwv.sys
2010-11-07 01:06:11 2944 -c--a-w- c:\windows\system32\dllcache\msmpu401.sys
2010-11-07 01:06:08 22016 -c--a-w- c:\windows\system32\dllcache\msircomm.sys
2010-11-07 01:05:53 35200 -c--a-w- c:\windows\system32\dllcache\msgame.sys
2010-11-07 01:05:49 6016 -c--a-w- c:\windows\system32\dllcache\msfsio.sys
2010-11-07 01:05:47 51200 -c--a-w- c:\windows\system32\dllcache\msdv.sys
2010-11-07 01:05:35 15232 -c--a-w- c:\windows\system32\dllcache\mpe.sys
2010-11-07 01:05:25 6528 -c--a-w- c:\windows\system32\dllcache\miniqic.sys
2010-11-07 01:05:19 320384 -c--a-w- c:\windows\system32\dllcache\mgaum.sys
2010-11-07 01:05:16 235648 -c--a-w- c:\windows\system32\dllcache\mgaud.dll
2010-11-07 01:05:14 26112 -c--a-w- c:\windows\system32\dllcache\memstpci.sys
2010-11-07 01:05:11 47616 -c--a-w- c:\windows\system32\dllcache\memgrp.dll
2010-11-07 01:05:08 8320 -c--a-w- c:\windows\system32\dllcache\memcard.sys
2010-11-07 01:05:04 164586 -c--a-w- c:\windows\system32\dllcache\mdgndis5.sys
2010-11-07 01:03:58 34688 -c--a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2010-11-07 01:03:55 26442 -c--a-w- c:\windows\system32\dllcache\lanepic5.sys
2010-11-07 01:03:52 19016 -c--a-w- c:\windows\system32\dllcache\ktc111.sys
2010-11-07 01:03:46 37376 -c--a-w- c:\windows\system32\dllcache\kousd.dll
2010-11-07 01:03:43 253952 -c--a-w- c:\windows\system32\dllcache\kdsusd.dll
2010-11-07 01:03:41 48640 -c--a-w- c:\windows\system32\dllcache\kdsui.dll
2010-11-07 01:03:29 8192 -c--a-w- c:\windows\system32\dllcache\kbdkor.dll
2010-11-07 01:03:27 8704 -c--a-w- c:\windows\system32\dllcache\kbdjpn.dll
2010-11-07 01:03:10 6144 -c--a-w- c:\windows\system32\dllcache\kbd106.dll
2010-11-07 01:03:07 5632 -c--a-w- c:\windows\system32\dllcache\kbd103.dll
2010-11-07 01:03:04 6144 -c--a-w- c:\windows\system32\dllcache\kbd101c.dll
2010-11-07 01:03:02 6144 -c--a-w- c:\windows\system32\dllcache\kbd101b.dll
2010-11-07 01:02:51 26624 -c--a-w- c:\windows\system32\dllcache\irstusb.sys
2010-11-07 01:02:49 18688 -c--a-w- c:\windows\system32\dllcache\irsir.sys
2010-11-07 01:02:47 28160 -c--a-w- c:\windows\system32\dllcache\irmon.dll
2010-11-07 01:02:45 23552 -c--a-w- c:\windows\system32\dllcache\irmk7.sys
2010-11-07 01:02:45 151552 -c--a-w- c:\windows\system32\dllcache\irftp.exe
2010-11-07 01:02:43 88192 -c--a-w- c:\windows\system32\dllcache\irda.sys
2010-11-07 01:02:33 45632 -c--a-w- c:\windows\system32\dllcache\ip5515.sys
2010-11-07 01:02:31 90200 -c--a-w- c:\windows\system32\dllcache\io8ports.dll
2010-11-07 01:02:28 38784 -c--a-w- c:\windows\system32\dllcache\io8.sys
2010-11-07 01:02:24 13056 -c--a-w- c:\windows\system32\dllcache\inport.sys
2010-11-07 01:02:00 81920 -c--a-w- c:\windows\system32\dllcache\ieencode.dll
2010-11-07 01:00:43 488383 -c--a-w- c:\windows\system32\dllcache\hsf_v124.sys
2010-11-07 00:59:57 165888 -c--a-w- c:\windows\system32\dllcache\hpgt53.dll
2010-11-07 00:58:58 470144 -c--a-w- c:\windows\system32\dllcache\g200d.dll
2010-11-07 00:57:59 16998 -c--a-w- c:\windows\system32\dllcache\ex10.sys
2010-11-07 00:56:59 66591 -c--a-w- c:\windows\system32\dllcache\el90xbc5.sys
2010-11-07 00:55:59 41046 -c--a-w- c:\windows\system32\dllcache\digiisdn.dll
2010-11-07 00:54:57 175104 -c--a-w- c:\windows\system32\dllcache\csamsp.dll
2010-11-07 00:53:39 13824 -c--a-w- c:\windows\system32\dllcache\bulltlp3.sys
2010-11-07 00:52:59 49920 -c--a-w- c:\windows\system32\dllcache\atirtcap.sys
2010-11-07 00:51:39 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll
2010-11-06 19:03:18 -------- d-----w- C:\_OTL
2010-11-03 19:35:01 -------- d-----w- c:\windows\ie8updates
2010-11-03 19:30:12 -------- dc-h--w- c:\windows\ie8
2010-11-03 19:27:20 13312 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-11-03 19:27:17 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-11-03 19:27:15 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-11-03 19:27:15 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-11-02 20:10:48 602112 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2010-11-02 20:10:48 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-11-02 20:10:48 445952 -c--a-w- c:\windows\system32\dllcache\ieapfltr.dll
2010-11-02 20:10:48 3698584 -c--a-w- c:\windows\system32\dllcache\ieapfltr.dat
2010-11-02 20:10:48 1986560 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-11-02 20:10:48 13824 -c----w- c:\windows\system32\dllcache\ieudinit.exe
2010-11-02 20:10:48 11080192 -c----w- c:\windows\system32\dllcache\ieframe.dll
2010-11-02 20:10:47 59904 -c--a-w- c:\windows\system32\dllcache\icardie.dll
2010-11-02 19:45:23 2146304 -c--a-w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-11-02 19:45:07 2024448 -c--a-w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-11-01 23:57:27 -------- d-----w- c:\docume~1\alluse~1\applic~1\OnlineArmor
2010-11-01 23:56:36 22600 ----a-w- c:\windows\system32\drivers\OAmon.sys
2010-11-01 23:56:35 28232 ----a-w- c:\windows\system32\drivers\OAnet.sys
2010-11-01 23:56:35 236104 ----a-w- c:\windows\system32\drivers\oadriver.sys
2010-11-01 23:56:33 -------- d-----w- c:\program files\Emsisoft
2010-11-01 22:59:08 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-01 22:59:08 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2010-11-01 22:17:05 135168 ----a-w- c:\windows\system32\igfxres.dll
2010-11-01 22:08:06 41600 -c--a-w- c:\windows\system32\dllcache\weitekp9.dll
2010-11-01 22:08:06 31232 -c--a-w- c:\windows\system32\dllcache\weitekp9.sys
2010-11-01 22:08:05 53248 -c--a-w- c:\windows\system32\dllcache\wamreg51.dll
2010-11-01 22:08:04 9216 -c--a-w- c:\windows\system32\dllcache\wamps51.dll
2010-11-01 22:08:04 76800 -c--a-w- c:\windows\system32\dllcache\wam51.dll
2010-11-01 22:08:04 5632 -c--a-w- c:\windows\system32\dllcache\w3svapi.dll
2010-11-01 22:08:04 364032 -c--a-w- c:\windows\system32\dllcache\w3svc.dll
2010-11-01 22:08:03 73728 -c--a-w- c:\windows\system32\dllcache\w3ext.dll
2010-11-01 22:08:03 48256 -c--a-w- c:\windows\system32\dllcache\w32.dll
2010-11-01 22:08:03 4608 -c--a-w- c:\windows\system32\dllcache\w3ctrs51.dll
2010-11-01 22:08:02 86073 -c--a-w- c:\windows\system32\dllcache\voicesub.dll
2010-11-01 22:08:02 426041 -c--a-w- c:\windows\system32\dllcache\voicepad.dll
2010-11-01 22:06:46 7680 -c--a-w- c:\windows\system32\dllcache\migregdb.exe
2010-11-01 22:05:59 92160 -c--a-w- c:\windows\system32\dllcache\evntwin.exe
2010-11-01 22:04:56 829440 -c--a-w- c:\windows\system32\dllcache\inetmgr.dll
2010-10-30 22:33:29 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2010-10-30 22:33:29 24661 ----a-w- c:\windows\system32\spxcoins.dll
2010-10-30 22:33:29 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2010-10-30 22:33:29 13312 ----a-w- c:\windows\system32\irclass.dll
2010-10-29 06:19:26 -------- d-----w- c:\docume~1\john\locals~1\applic~1\{47F579EB-CAAC-486B-9D93-C24124D8D725}
2010-10-28 00:57:40 656896 ----a-w- c:\program files\MicrosoftFixit50525.msi
2010-10-27 03:29:30 648704 ----a-w- c:\program files\MicrosoftFixit50267.msi

==================== Find3M ====================

2010-10-25 01:08:47 8567024 ----a-w- c:\program files\Firefox Setup 3.6.11.exe
2010-10-19 16:41:44 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-10-18 01:40:16 1064736 ----a-w- c:\program files\VB6.0-KB290887-X86.exe
2010-10-18 01:15:38 133582520 ----a-w- c:\program files\Ad-AwareInstall.exe
2010-10-18 01:12:21 44089904 ----a-w- c:\program files\avira_antivir_personal_en.exe
2010-09-18 17:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-15 07:29:49 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58:06 43520 ------w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58:06 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-07-09 13:16:02 3396176 ----a-w- c:\program files\ccsetup233.exe
2009-02-19 00:58:37 35348744 ----a-w- c:\program files\CIS_Setup_3.8.64739.471_XP_Vista_x32.exe
2009-02-17 17:28:53 13229544 ----a-w- c:\program files\OA190Free.exe
2009-02-17 14:38:22 6006816 ----a-w- c:\program files\SUPERAntiSpyware.exe
2009-02-17 14:37:12 16409960 ----a-w- c:\program files\spybotsd162.exe
2006-07-27 21:34:55 11746992 -c--a-w- c:\program files\antivir_workstation_win7u_en_h.exe
2006-07-27 21:25:52 5037072 -c--a-w- c:\program files\spybotsd14.exe
2006-07-27 21:23:13 2166352 -c--a-w- c:\program files\XoftSpy422_193.exe

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST380011A rev.8.16 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8230554C]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8230b604]; MOV EAX, [0x8230b680]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x8237FAB8]
3 CLASSPNP[0xF8578FD7] -> nt!IofCallDriver[0x804E37D5] -> [0x822A7030]
\Driver\atapi[0x82399030] -> IRP_MJ_CREATE -> 0x8230554C
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x137; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskST380011A_______________________________8.16____#4a354b5636394545202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x82305398
user != kernel MBR !!!
sectors 156249998 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.

============= FINISH: 21:14:02.92 ===============

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-11-23 21:42:58
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 ST380011A rev.8.16
Running: gmer.exe; Driver: C:\DOCUME~1\John\LOCALS~1\Temp\pxloapoc.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Emsisoft) ZwAllocateVirtualMemory [0xEE779ED0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Emsisoft) ZwAssignProcessToJobObject [0xEE77A700]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Emsisoft) ZwConnectPort [0xEE777DA0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Emsisoft) ZwCreateFile [0xEE7879C0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Emsisoft) ZwCreatePort [0xEE7778E0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Emsisoft) ZwCreateProcess [0xEE774620]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Emsisoft) ZwCreateProcessEx [0xEE774A30]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Emsisoft) ZwCreateSection [0xEE773EF0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Emsisoft) ZwCreateThread [0xEE775F20]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Emsisoft) ZwDebugActiveProcess [0xEE776B90]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Emsisoft) ZwDuplicateObject [0xEE7776F0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Emsisoft) ZwLoadDriver [0xEE779490]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Emsisoft) ZwOpenFile [0xEE788040]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Emsisoft) ZwOpenProcess [0xEE775A20]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Emsisoft) ZwOpenSection [0xEE774310]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Emsisoft) ZwOpenThread [0xEE776420]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Emsisoft) ZwProtectVirtualMemory [0xEE77A350]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Emsisoft) ZwQueryDirectoryFile [0xEE779A70]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Emsisoft) ZwQueueApcThread [0xEE77A8A0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Emsisoft) ZwRequestPort [0xEE7789A0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Emsisoft) ZwRequestWaitReplyPort [0xEE778F90]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Emsisoft) ZwRestoreKey [0xEE787550]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Emsisoft) ZwResumeThread [0xEE777340]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Emsisoft) ZwSecureConnectPort [0xEE778190]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Emsisoft) ZwSetContextThread [0xEE776970]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Emsisoft) ZwSetSystemInformation [0xEE776D30]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Emsisoft) ZwShutdownSystem [0xEE779370]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Emsisoft) ZwSuspendProcess [0xEE777520]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Emsisoft) ZwSuspendThread [0xEE777130]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Emsisoft) ZwSystemDebugControl [0xEE776F40]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Emsisoft) ZwTerminateProcess [0xEE775C80]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Emsisoft) ZwTerminateThread [0xEE776760]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Emsisoft) ZwUnloadDriver [0xEE779780]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Emsisoft) ZwWriteVirtualMemory [0xEE77A520]

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 104 804E2770 12 Bytes [E0, 78, 77, EE, 20, 46, 77, ...] {LOOPNZ 0x7a; JA 0xfffffffffffffff2; AND [ESI+0x77], AL; OUT DX, AL ; XOR [EDX+0x77], CL; OUT DX, AL }
.text ntoskrnl.exe!_abnormal_termination + 440 804E2AAC 12 Bytes [20, 75, 77, EE, 30, 71, 77, ...] {AND [EBP+0x77], DH; OUT DX, AL ; XOR [ECX+0x77], DH; OUT DX, AL ; INC EAX; OUTSD ; JA 0xfffffffffffffffa}
init C:\WINDOWS\system32\DRIVERS\mohfilt.sys entry point in "init" section [0xF888B760]
init C:\WINDOWS\system32\drivers\senfilt.sys entry point in "init" section [0xF73FFF80]
? C:\DOCUME~1\John\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\csrss.exe[448] KERNEL32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 71AF003D
.text C:\WINDOWS\system32\winlogon.exe[472] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 71AF003D
.text C:\WINDOWS\system32\services.exe[520] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 71AF003D
.text C:\WINDOWS\system32\lsass.exe[532] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 71AF003D
.text C:\WINDOWS\system32\svchost.exe[720] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 71AF003D
.text C:\WINDOWS\Explorer.EXE[768] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C6000A
.text C:\WINDOWS\Explorer.EXE[768] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C7000A
.text C:\WINDOWS\Explorer.EXE[768] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00C5000C
.text C:\WINDOWS\Explorer.EXE[768] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F130F5A
.text C:\WINDOWS\Explorer.EXE[768] ADVAPI32.dll!CreateServiceW 77E373A9 6 Bytes JMP 5F160F5A
.text C:\WINDOWS\Explorer.EXE[768] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\Explorer.EXE[768] IPHLPAPI.DLL!IcmpSendEcho2 76D6B73C 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\system32\svchost.exe[780] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 71AF003D
.text c:\Program Files\Microsoft Security Essentials\MsMpEng.exe[852] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 71AF003D
.text C:\WINDOWS\System32\svchost.exe[928] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00D8000A
.text C:\WINDOWS\System32\svchost.exe[928] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00D9000A
.text C:\WINDOWS\System32\svchost.exe[928] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00D7000C
.text C:\WINDOWS\System32\svchost.exe[928] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 71AF003D
.text C:\WINDOWS\System32\svchost.exe[928] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 0182000A
.text C:\WINDOWS\System32\svchost.exe[928] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 00EE000A
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 71AF003D
.text C:\WINDOWS\system32\svchost.exe[1232] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 71AF003D
.text C:\Program Files\Emsisoft\Online Armor\OAcat.exe[1288] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 71AF003D
.text C:\Program Files\Emsisoft\Online Armor\oasrv.exe[1308] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 009D0001
.text C:\Program Files\Emsisoft\Online Armor\oasrv.exe[1308] user32.dll!LoadStringW 7E419E36 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Emsisoft\Online Armor\oasrv.exe[1308] user32.dll!LoadStringA 7E42C908 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\spoolsv.exe[1464] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 71AF003D
.text C:\WINDOWS\system32\ctfmon.exe[1580] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00C50001
.text C:\WINDOWS\system32\ctfmon.exe[1580] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\ctfmon.exe[1580] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\ctfmon.exe[1580] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 71B0003D
.text C:\WINDOWS\system32\ctfmon.exe[1580] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F130F5A
.text C:\WINDOWS\system32\ctfmon.exe[1580] ADVAPI32.dll!CreateServiceW 77E373A9 6 Bytes JMP 5F160F5A
.text C:\WINDOWS\system32\ctfmon.exe[1580] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\ctfmon.exe[1580] IPHLPAPI.DLL!IcmpSendEcho2 76D6B73C 6 Bytes JMP 5F100F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[1940] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 01A5000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[1940] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 01A6000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[1940] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 01A4000C
.text C:\Program Files\Mozilla Firefox\firefox.exe[1940] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F130F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[1940] ADVAPI32.dll!CreateServiceW 77E373A9 6 Bytes JMP 5F160F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[1940] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[1940] IPHLPAPI.DLL!IcmpSendEcho2 76D6B73C 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\system32\svchost.exe[2220] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 71B0003D
.text C:\Program Files\Emsisoft\Online Armor\OAhlp.exe[2356] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01390001
.text C:\Program Files\Emsisoft\Online Armor\OAhlp.exe[2356] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 71B0003D
.text C:\Program Files\Emsisoft\Online Armor\OAhlp.exe[2356] user32.dll!LoadStringW 7E419E36 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Emsisoft\Online Armor\OAhlp.exe[2356] user32.dll!LoadStringA 7E42C908 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\wanmpsvc.exe[2448] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 71B0003D
.text C:\Program Files\Internet Explorer\iexplore.exe[2780] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 01F0000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2780] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 01F1000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2780] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 01EF000C
.text C:\Program Files\Internet Explorer\iexplore.exe[2780] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F130F5A
.text C:\Program Files\Internet Explorer\iexplore.exe[2780] ADVAPI32.dll!CreateServiceW 77E373A9 6 Bytes JMP 5F160F5A
.text C:\Program Files\Internet Explorer\iexplore.exe[2780] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154F5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2780] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB24 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2780] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5027 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2780] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4F59 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2780] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E4FC4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2780] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4E2A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2780] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4E8C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2780] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E508A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2780] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Internet Explorer\iexplore.exe[2780] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4EEE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2780] IPHLPAPI.DLL!IcmpSendEcho2 76D6B73C 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\system32\taskmgr.exe[2920] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00C30001
.text C:\WINDOWS\system32\taskmgr.exe[2920] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\taskmgr.exe[2920] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\taskmgr.exe[2920] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 71B0003D
.text C:\WINDOWS\system32\taskmgr.exe[2920] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F130F5A
.text C:\WINDOWS\system32\taskmgr.exe[2920] ADVAPI32.dll!CreateServiceW 77E373A9 6 Bytes JMP 5F160F5A
.text C:\WINDOWS\system32\taskmgr.exe[2920] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\taskmgr.exe[2920] iphlpapi.dll!IcmpSendEcho2 76D6B73C 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\system32\wscntfy.exe[3216] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00B40001
.text C:\WINDOWS\system32\wscntfy.exe[3216] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\wscntfy.exe[3216] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\wscntfy.exe[3216] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 71B0003D
.text C:\WINDOWS\system32\wscntfy.exe[3216] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\wscntfy.exe[3216] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F130F5A
.text C:\WINDOWS\system32\wscntfy.exe[3216] ADVAPI32.dll!CreateServiceW 77E373A9 6 Bytes JMP 5F160F5A
.text C:\WINDOWS\system32\wscntfy.exe[3216] IPHLPAPI.DLL!IcmpSendEcho2 76D6B73C 6 Bytes JMP 5F100F5A
.text C:\Documents and Settings\John\Desktop\gmer\gmer.exe[3300] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00CE0001
.text C:\Documents and Settings\John\Desktop\gmer\gmer.exe[3300] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\Documents and Settings\John\Desktop\gmer\gmer.exe[3300] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\Documents and Settings\John\Desktop\gmer\gmer.exe[3300] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 71B0003D
.text C:\Documents and Settings\John\Desktop\gmer\gmer.exe[3300] user32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F0D0F5A
.text C:\Documents and Settings\John\Desktop\gmer\gmer.exe[3300] advapi32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F1B0F5A
.text C:\Documents and Settings\John\Desktop\gmer\gmer.exe[3300] advapi32.dll!CreateServiceW 77E373A9 6 Bytes JMP 5F1E0F5A
.text C:\Documents and Settings\John\Desktop\gmer\gmer.exe[3300] IPHLPAPI.DLL!IcmpSendEcho2 76D6B73C 6 Bytes JMP 5F100F5A
.text C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe[3448] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00D00001
.text C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe[3448] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe[3448] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe[3448] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 71B0003D
.text C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe[3448] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe[3448] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F1B0F5A
.text C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe[3448] ADVAPI32.dll!CreateServiceW 77E373A9 6 Bytes JMP 5F1E0F5A
.text C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe[3448] IPHLPAPI.DLL!IcmpSendEcho2 76D6B73C 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\system32\dla\tfswctrl.exe[3496] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 009B0001
.text C:\WINDOWS\system32\dla\tfswctrl.exe[3496] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\dla\tfswctrl.exe[3496] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\dla\tfswctrl.exe[3496] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 71B0003D
.text C:\WINDOWS\system32\dla\tfswctrl.exe[3496] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\dla\tfswctrl.exe[3496] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F1B0F5A
.text C:\WINDOWS\system32\dla\tfswctrl.exe[3496] ADVAPI32.dll!CreateServiceW 77E373A9 6 Bytes JMP 5F1E0F5A
.text C:\WINDOWS\system32\dla\tfswctrl.exe[3496] IPHLPAPI.DLL!IcmpSendEcho2 76D6B73C 6 Bytes JMP 5F100F5A
.text C:\Program Files\Common Files\AOL\1125946752\ee\AOLSoftware.exe[3524] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00C30001
.text C:\Program Files\Common Files\AOL\1125946752\ee\AOLSoftware.exe[3524] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Common Files\AOL\1125946752\ee\AOLSoftware.exe[3524] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\Program Files\Common Files\AOL\1125946752\ee\AOLSoftware.exe[3524] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 71B0003D
.text C:\Program Files\Common Files\AOL\1125946752\ee\AOLSoftware.exe[3524] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F130F5A
.text C:\Program Files\Common Files\AOL\1125946752\ee\AOLSoftware.exe[3524] ADVAPI32.dll!CreateServiceW 77E373A9 6 Bytes JMP 5F160F5A
.text C:\Program Files\Common Files\AOL\1125946752\ee\AOLSoftware.exe[3524] user32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Common Files\AOL\1125946752\ee\AOLSoftware.exe[3524] IPHLPAPI.DLL!IcmpSendEcho2 76D6B73C 6 Bytes JMP 5F100F5A
.text C:\Program Files\Dell Support Center\bin\sprtcmd.exe[3640] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00C70001
.text C:\Program Files\Dell Support Center\bin\sprtcmd.exe[3640] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Dell Support Center\bin\sprtcmd.exe[3640] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\Program Files\Dell Support Center\bin\sprtcmd.exe[3640] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 71B0003D
.text C:\Program Files\Dell Support Center\bin\sprtcmd.exe[3640] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Dell Support Center\bin\sprtcmd.exe[3640] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F130F5A
.text C:\Program Files\Dell Support Center\bin\sprtcmd.exe[3640] ADVAPI32.dll!CreateServiceW 77E373A9 6 Bytes JMP 5F160F5A
.text C:\Program Files\Dell Support Center\bin\sprtcmd.exe[3640] IPHLPAPI.DLL!IcmpSendEcho2 76D6B73C 6 Bytes JMP 5F100F5A
.text C:\Program Files\Internet Explorer\iexplore.exe[3736] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0161000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3736] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0162000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3736] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0160000C
.text C:\Program Files\Internet Explorer\iexplore.exe[3736] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F130F5A
.text C:\Program Files\Internet Explorer\iexplore.exe[3736] ADVAPI32.dll!CreateServiceW 77E373A9 6 Bytes JMP 5F160F5A
.text C:\Program Files\Internet Explorer\iexplore.exe[3736] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154F5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3736] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9ACD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3736] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD12D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3736] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB24 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3736] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E254656 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3736] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5027 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3736] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4F59 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3736] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E4FC4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3736] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4E2A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3736] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4E8C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3736] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E508A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3736] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Internet Explorer\iexplore.exe[3736] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4EEE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3736] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 3E2EDB80 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3736] ole32.dll!OleLoadFromStream 7752981B 5 Bytes JMP 3E3E538F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3736] IPHLPAPI.DLL!IcmpSendEcho2 76D6B73C 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\system32\hkcmd.exe[3812] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00C40001
.text C:\WINDOWS\system32\hkcmd.exe[3812] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\hkcmd.exe[3812] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\hkcmd.exe[3812] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 71B0003D
.text C:\WINDOWS\system32\hkcmd.exe[3812] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\hkcmd.exe[3812] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F130F5A
.text C:\WINDOWS\system32\hkcmd.exe[3812] ADVAPI32.dll!CreateServiceW 77E373A9 6 Bytes JMP 5F160F5A
.text C:\WINDOWS\system32\hkcmd.exe[3812] IPHLPAPI.DLL!IcmpSendEcho2 76D6B73C 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\system32\igfxpers.exe[3876] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00C40001
.text C:\WINDOWS\system32\igfxpers.exe[3876] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\igfxpers.exe[3876] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\igfxpers.exe[3876] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 71B0003D
.text C:\WINDOWS\system32\igfxpers.exe[3876] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\igfxpers.exe[3876] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F130F5A
.text C:\WINDOWS\system32\igfxpers.exe[3876] ADVAPI32.dll!CreateServiceW 77E373A9 6 Bytes JMP 5F160F5A
.text C:\WINDOWS\system32\igfxpers.exe[3876] IPHLPAPI.DLL!IcmpSendEcho2 76D6B73C 6 Bytes JMP 5F100F5A
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[3916] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00E70001
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[3916] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[3916] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[3916] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 71B0003D
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[3916] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F130F5A
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[3916] ADVAPI32.dll!CreateServiceW 77E373A9 6 Bytes JMP 5F160F5A
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[3916] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[3916] IPHLPAPI.DLL!IcmpSendEcho2 76D6B73C 6 Bytes JMP 5F100F5A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3956] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00BA0001
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3956] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3956] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3956] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 71B0003D
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3956] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F130F5A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3956] ADVAPI32.dll!CreateServiceW 77E373A9 6 Bytes JMP 5F160F5A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3956] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3956] IPHLPAPI.DLL!IcmpSendEcho2 76D6B73C 6 Bytes JMP 5F100F5A
.text C:\Program Files\Emsisoft\Online Armor\oaui.exe[3988] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01740001
.text C:\Program Files\Emsisoft\Online Armor\oaui.exe[3988] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 71B0003D
.text C:\Program Files\Emsisoft\Online Armor\oaui.exe[3988] user32.dll!LoadStringW 7E419E36 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Emsisoft\Online Armor\oaui.exe[3988] user32.dll!LoadStringA 7E42C908 6 Bytes JMP 5F040F5A
.text C:\Program Files\Microsoft Security Essentials\msseces.exe[4080] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00DA0001
.text C:\Program Files\Microsoft Security Essentials\msseces.exe[4080] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Microsoft Security Essentials\msseces.exe[4080] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\Program Files\Microsoft Security Essentials\msseces.exe[4080] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 71B0003D
.text C:\Program Files\Microsoft Security Essentials\msseces.exe[4080] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F130F5A
.text C:\Program Files\Microsoft Security Essentials\msseces.exe[4080] ADVAPI32.dll!CreateServiceW 77E373A9 6 Bytes JMP 5F160F5A
.text C:\Program Files\Microsoft Security Essentials\msseces.exe[4080] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Microsoft Security Essentials\msseces.exe[4080] IPHLPAPI.DLL!IcmpSendEcho2 76D6B73C 6 Bytes JMP 5F100F5A

---- Devices - GMER 1.0.15 ----

Device \Driver\Tcpip \Device\Ip OAmon.sys (TDI Helper Driver/Emsisoft)
Device \Driver\Tcpip \Device\Tcp OAmon.sys (TDI Helper Driver/Emsisoft)
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T1L0-17 82305398
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 82305398
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 82305398
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-f 82305398
Device \Driver\Tcpip \Device\Udp OAmon.sys (TDI Helper Driver/Emsisoft)
Device \Driver\Tcpip \Device\RawIp OAmon.sys (TDI Helper Driver/Emsisoft)
Device \Driver\Tcpip \Device\IPMULTICAST OAmon.sys (TDI Helper Driver/Emsisoft)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskST380011A_______________________________8.16____#4a354b5636394545202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00 (MBR): rootkit-like behavior; TDL4 <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 11: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 57: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sectors 156249744 (+255): rootkit-like behavior;

---- EOF - GMER 1.0.15 ----

Attached Files

#2 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Dubai
  • Local time:01:24 AM

Posted 02 December 2010 - 01:14 AM

Hello, mpizzo10.
My name is aommaster and I will be helping you with your log.

I apologize for the delay in response; we get overwhelmed at times, but we are trying our best to keep up.
If you have since resolved the original problem you were having, I would appreciate you letting us know. If not, please perform the steps below so I can have a look at the current condition of your machine.

Thanks

Should you still require assistance, please take note of the points below:
  • Please track this topic by either adding it to your favourites or clicking the Options button at the top of this thread and then Track this topic.
  • Please disable word-wrap before posting logs. This can be done by clicking Format and un-ticking the word-wrap feature in notepad.
  • The logs that you post should be copied and pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • If you do not reply within 5 days, I will have to close your topic. Should you not be able to meet this, please notify me so that I will leave the topic open.
  • Please do not install, update, or run any programs for the duration of the fix.
  • If you do not understand the instructions I provide, please don't hesitate to ask. That's what I'm here for :)
  • Please continue to reply to this topic until I give you the all clean. Just because there are no symptoms of infection doesn't mean that the computer is clean.
  • If you are running Vista or Windows 7, please run all the fixes as an administrator. This is done by right-clicking the program and clicking "Run as Administrator".

Please do the following so I can take a look at the current state of your system.
We need to run Defogger
  • Please download DeFogger to your desktop.
  • Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
Note: If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.
Do not re-enable these drivers until the end of the fix.

NEXT:
We need to run RSIT
  • Download random's system information tool (RSIT) by random/random and save it to your desktop.
  • Double click on RSIT.exe.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized).

NEXT:
We need to run an MBR scan
  • Please download MBR.exe and save it to your root directory (usually C:\).
  • Now click Start > Run and copy/paste the following text in the box that opens. Do not copy the word "code".
    C:\mbr.exe -t
    
  • Press enter.
  • An mbr.log should be created in your root directory. Please post its contents in your next reply.

NEXT:
We need to run an Anti-Rootkit (ARK) scan
  • Download GMER and save to your desktop. Note that the file will be randomly named to prevent active malware from stopping the download.
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click the GMER program. Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Make sure all options are checked except:
    • IAT/EAT
    • Drives/Partition other than Systemdrive, which is typically C:\
    • Show All (This is important, so do not miss it.)
    Note: If GMER crashes or hangs, please retry running a scan. Only this time, in addition to the options mentioned above, uncheck Devices as well.
  • When the scan is complete, click Save and save the log onto your desktop.

If GMER crashes, hangs or blue-screens, do the following
  • Please download Rootkit Unhooker from one of the mirrors below and save it to your desktop:
    Mirror 1
    Mirror 2
    Mirror 3
  • Double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers, Stealth. Uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.
Note: You may get this warning. If so, please ignore it.
"Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?"


In your next reply, please include the following:
  • Log.txt
  • info.txt
  • mbr.exe log
  • gmer.log/RKUnhooker log

My website: http://aommaster.com
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM
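As an added example (not code from this thread, from GMER or from any BleepingComputer tool), the triage logic below parses the "Registry" and "Disk sectors" sections of a GMER log like the one posted above and like the ARK scan requested in this reply, flagging a rootkit-flagged MBR (the TDL4 case) and any AppInit_DLLs entry that Windows is configured to load. The sample log is a constructed, shortened copy of the thread's log format.

```python
import re

# Constructed sample in the GMER log format seen in the thread (shortened).
SAMPLE_LOG = """\
---- Registry - GMER 1.0.15 ----
Reg HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows@AppInit_DLLs
Reg HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows@LoadAppInit_DLLs 1
---- Disk sectors - GMER 1.0.15 ----
Disk \\Device\\Harddisk0\\DR0 sector 00 (MBR): rootkit-like behavior; TDL4 <-- ROOTKIT !!!
Disk \\Device\\Harddisk0\\DR0 sector 63: rootkit-like behavior;
Disk \\Device\\Harddisk0\\DR0 sectors 156249744 (+255): rootkit-like behavior;
---- EOF - GMER 1.0.15 ----
"""
SECTION_RE = re.compile(r"^---- (.+?) - GMER [\d.]+ ----$")
REG_RE = re.compile(r"^Reg (?P<key>.+)@(?P<value>\S+)(?: (?P<data>.*))?$")
DISK_RE = re.compile(r"^Disk (?P<device>\S+) sectors? (?P<sector>\d+)"
                     r"(?: \(\+(?P<span>\d+)\))?(?P<mbr> \(MBR\))?: (?P<desc>.*)$")


def parse_gmer_log(text):
    """Split a GMER log into its registry and disk-sector findings."""
    section, findings = None, {"registry": [], "disk": []}
    for line in text.splitlines():
        line = line.rstrip()
        if (head := SECTION_RE.match(line)):
            section = head.group(1).lower()  # 'registry', 'disk sectors', 'eof'
        elif section == "registry" and (m := REG_RE.match(line)):
            findings["registry"].append(
                {"key": m["key"], "value": m["value"], "data": m["data"] or ""})
        elif section == "disk sectors" and (m := DISK_RE.match(line)):
            findings["disk"].append(
                {"device": m["device"], "sector": int(m["sector"]), "mbr": m["mbr"] is not None,
                 "span": int(m["span"] or 0), "desc": m["desc"]})
    return findings


def triage(findings):
    """Return the high-priority alerts a responder should act on first."""
    alerts = []
    for d in findings["disk"]:
        # A rootkit-flagged MBR is a bootkit: file-level cleanup leaves it in place.
        if d["mbr"] and "rootkit" in d["desc"].lower():
            alerts.append(f"MBR of {d['device']} flagged: {d['desc']}")
    hidden = sum(1 for d in findings["disk"] if not d["mbr"])
    if hidden:
        alerts.append(f"{hidden} further disk region(s) show rootkit-like behavior")
    reg = {r["value"]: r["data"] for r in findings["registry"]}
    # AppInit_DLLs only matters when non-empty and LoadAppInit_DLLs is 1 (empty here).
    if reg.get("AppInit_DLLs") and reg.get("LoadAppInit_DLLs") == "1":
        alerts.append(f"AppInit_DLLs injection configured: {reg['AppInit_DLLs']}")
    return alerts
```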


#3 aommaster

    I !<3 malware

  • Malware Response Team
  • 5,294 posts
  • Gender:Male
  • Location:Dubai

Posted 05 December 2010 - 12:04 AM

Hello mpizzo10
Are you still with us?



#4 aommaster

    I !<3 malware

  • Malware Response Team
  • 5,294 posts
  • Gender:Male
  • Location:Dubai

Posted 07 December 2010 - 12:04 AM

Due to lack of feedback, this topic has been closed. If you need this topic reopened, please send me a PM with the address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.





